What to do when you can’t get an app the right privacy settings in Mojave

A few who have upgrade to Mojave are finding apps which either don’t display the expected consent dialogs, or display them once and never again, so preventing them from giving that app access to protected data or services. Here’s what to do if you are having problems.

App Store apps

If you obtained the app from the Mac App Store, and it doesn’t seem to be handling the new privacy protection properly, an important first step is to check that it has the correct entitlements and usage information. You can do this using my free app Taccy, from Downloads above.

App Store apps are locked down in their Sandbox, and only allowed to do what they have requested in entitlements, which are baked into their signature. If an App Store app wants to be able to control other apps using AppleEvents or AppleScript, then it needs a com.apple.security.automation.apple-events entitlement. At present, Taccy doesn’t show this in the checkboxes (I will be adding it soon), but you should find it listed in the text in the scrolling view below.

In addition to the appropriate entitlement, the app also needs a usage string, which is shown in Taccy’s checkboxes. This is the text displayed after the standard wording in the consent dialog. This is only required when the app has been built against the 10.14 SDK, which is also shown in Taccy’s checkboxes.

If the app lacks the entitlement, then it will never be able to prompt you for your consent. There is nothing that you can do about that, unless you want to give it Full Disk Access by adding it to that privacy list, if that is an appropriate workaround. You can also add apps to the Accessibility list yourself. That won’t help you, though, if the app needs to be in the Automation, Location, Camera, or Microphone lists.

If the app lacks the usage string but was built against the 10.14 SDK, then trying to access protected data may cause it to unexpectedly quit. At the very least, expect it to result in an error.

You cannot add it to a list, other than Full Disk Access or Accessibility over which you have control. If you can’t get the app to display the consent dialog, then you should report this fault to its developer, who will almost certainly need to build a new and corrected version of the app to fix it.

Notarized apps

Although Notarization isn’t the same as the limits imposed by the App Store, with respect to privacy controls, it behaves very similarly. The app can only have been built against the 10.14 SDK (notarization isn’t available to apps built using Xcode 9 against the 10.13 SDK), so it will need both the appropriate entitlement and the usage string, as shown in Taccy.

The good news is that a developer who has got this wrong can fix it much more quickly: all they need to do is make the correction, rebuild the app, and submit it for notarization. The latter usually takes but a few minutes to complete, so a fixed version of the app should be in your hands very shortly.

Regular signed apps built against the 10.14 SDK

Entitlements don’t normally apply to apps which are neither notarized nor distributed through the App Store, although in theory a developer can ‘harden’ an app and impose entitlements without getting it notarized. I haven’t come across anyone doing that yet.

When built against the 10.14 SDK, an app must have the appropriate usage string, which you can check using Taccy.

If the app has the correct usage string, then when it tries to access protected data or services, you should be prompted to give your consent. If that doesn’t happen, it suggests a bug somewhere between the app and macOS, and you need to report the problem to its developer. If this is a matter of accessing protected data, you can add the app to the Full Disk Access list yourself, although that may give it broader access than you really want, and you control Accessibility too.

Regular signed apps built against an earlier SDK, such as 10.13

These don’t have entitlements or any requirement for usage strings, so should always display the consent dialog. If they don’t, report this to the developer, and add them to Full Disk Access or Accessibility list if that works around the problem.

Your own AppleScript and similar apps

If made using macOS 10.13 or earlier, these should behave like apps built against an older SDK. If they don’t, then open them using Mojave’s Script Editor and compile them again. If that won’t help, and you have an Apple developer certificate, then you may find that signing them helps them to work properly, although that shouldn’t be required.

You have previously refused consent

Mojave’s privacy system, TCC, doesn’t keep a blacklist of apps for which access to protected data has been refused, by clicking on the Don’t Allow button in the consent dialog. If you make an error, or change your mind, running the app again should result in exactly the same dialog, which you can then accept.

tccfail00

In fact, TCC tries to make this even easier. Let’s say that you saw this dialog and clicked on Don’t Allow. If you then open the Privacy tab of the Security & Privacy pane, and select the appropriate list at the left, you’ll see that TCC has already added that app, but left it unchecked.

tccfail01

Quit the app, click on the padlock in the pane and authenticate, then tick that checkbox. This should enable the app to access the protected data without any further dialogs, although you might find that you are prompted one last time, in which case you can click on OK as you had intended.

tccfail02

This applies not only to the Automation list, but also to narrower classes of data, such as Calendars here.

If you can’t get this to work as shown here, then try uninstalling the app with all its components (helper tools, etc.), restarting your Mac, downloading the latest release, and installing that. If that fails too, contact the developer.

Thanks to Michael Tsai for raising one of the problems considered here.

10Comments

Add yours

1

Michael Tsai - Blog - Mojave’s New Security and Privacy Protections Face Usability Challenges on October 3, 2018 at 6:55 pm

[…] Update (2018-10-03): Howard Oakley: […]

LikeLike
2

Kon Krypton on October 18, 2018 at 8:56 pm

I have an old script application, created in 2012, that now no longer works. It never asks for authorization, it just fails with a message that it’s not authorized to send events to iTunes. I tried re-saving it from Script Editor but that didn’t help. Any ideas?

LikeLike
- 3
  
  hoakley on October 18, 2018 at 9:06 pm
  
  Using the Script Editor in Mojave, when saved as an app it should be given a set of usage strings which should in turn result in the consent dialog.
  If you continue to have problems, look at Script Debugger: there’s now a free Lite version, and its support is second to none.
  I hope that helps,
  Howard.
  
  LikeLike
4

Joe on January 23, 2019 at 2:47 pm

Im using Mojave, and unable to add apps to Accessibility or Full Disk Access. Im able to select the app but it won’t show on the list. Any help would be greatly appreciated.

LikeLiked by 1 person
- 5
  
  hoakley on January 23, 2019 at 3:28 pm
  
  Have you only just upgraded to Mojave, or just applied the 10.14.3 update? If so, I’d suspect the installation/update may be faulty and it is worth trying again, perhaps.
  If it has been working fine and now stopped, then restarting in Safe mode (Shift key held), leaving your Mac a couple of minutes, and restarting in normal mode again might help.
  Howard.
  
  LikeLike
6

hepcat72 on January 29, 2019 at 9:41 pm

I have a handful of apps created with the Fluid app (fluidapp.com) for my own use. After upgrading to Mojave, none of my automator services with operate on selected text will work in any of the fluid-created apps. I have added them to accessibility and to full disk access, but they still generate an error when I try to run a service on text displayed in them. Is there any way around this?

LikeLiked by 1 person
- 7
  
  hoakley on January 29, 2019 at 9:52 pm
  
  One suggestion that I have seen is that you need to remove an invalid signature in each Fluid app using a command of the form
  codesign --remove-signature AppCreatedInFluid.app
  However, I don’t know what FluidApp is doing, and if that doesn’t work, I suggest that you contact its developer to ask them for advice.
  Howard.
  
  LikeLike
8

Robert William Leach on January 29, 2019 at 10:42 pm

Yeah. I sent them a note before I commented here. I believe that it’s just creating a web browser that defaults to the URL you enter and presents it as if it’s an app version of that website.

I can’t imagine that the apps it creates are code-signed. I’ll look tomorrow. I was thinking of trying to sign them myself. I created an app once before that we distribute.

LikeLiked by 1 person
9

Prateek Singh on August 27, 2019 at 7:07 am

I am unable to add system events for eclipse when i try to run a code and i want my code to fetch a document from my local machine ..using apple script but i am not able to get any authorisation as well

LikeLiked by 1 person
- 10
  
  hoakley on August 27, 2019 at 7:29 am
  
  Have you tried stripping quarantine flags from all scripts and anything else which has to be executed, using my free xattred?
  macOS now refuses to run any sort of script with a quarantine flag set on it, apparently.
  Howard.
  
  LikeLike

Share this:

Like this:

Related